The transfer and use of personal data is a complex matter that cannot be adequately addressed on this site. Duke researchers who wish to transfer or use personal data should contact the ORC to initiate a debate on the transfer or use of the proposed data. In addition, the transmission agreement must reflect the fact that a subcontractor will do so: as a summary only and not as a complete guide for the transmission or use of the data, The transmission and use of data is generally governed by a number of important considerations, including those relating to Duke IRB rules, the amended Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), to ethical considerations, whether or not the transmission and/or use of the data are subject to contractual restrictions. A researcher wishing to transfer or use data should be prepared to discuss with the ORC, among other things: the purpose of transmission; The identities of the taker and sound; The nature of the data to be transmitted (personal data? contain identifiers?) Whether the data was collected as part of a research study or standard of care and, in the case of a research study, whether there are third-party restrictions; Whether a consent form applies to informed information allows the use or transfer of proposed data; How data should be transferred Whether patents are data-related and whether samples are sent with or in conjunction with the data. To respond to information management, it is necessary to put in place a data transfer agreement covering the transfer of data between institutions. Normally, we assume that only anonymous data is transferred All data exports do not take place between a manager and a subcontractor – some transfers take place to another responsible person or take place between common processors, and some transfers may be responsible for both the processor and the person responsible for the transfer and transfer of personal data to the processor. What must be included in the agreement depends on the use of a waiver, a derogation or other transfer mechanism to legitimize the transfer of personal data. For some transmission mechanisms, it may be useful to include the mechanism in the agreement itself, for example. B when controller SSCs are used. They should also refer to other relevant agreements. You should consider (especially if you are a controller) direct and indirect transfers (redirects) for both current and future transfers. A direct transfer is made when the recipient of the information with which the exporter issues a contract is established outside the EEA. An indirect transfer would take place if the beneficiary of the contract is based in the EEA, but hires other processors or subcontractors outside the EEA, including the group companies.
In each scenario, the parties should understand and record the underlying personal data that is transferred in order to know their own responsibilities and the responsibilities of the third party concerned that are expressed in the transfer agreement.